Nice. I'll take a look today.
No problem for the "user friendly" thing.
I just want to practice with those vulnerabilities.
2014-02-13 10:36 GMT+01:00 Stephen de Vries stephen@continuumsecurity.net:
On 13 Feb 2014, at 10:16, Paul AMAR aos.paul@gmail.com wrote:
Do you know any Web app vulnerable to HQL Injection ?
Here's one I wrote and use for internal testing:
https://github.com/continuumsecurity/RopeyTasks/ there's HQL injection
in two of the Controllers, e.g.:
https://github.com/continuumsecurity/RopeyTasks/blob/master/grails-app/controllers/net/continuumsecurity/ropeytasks/TaskController.groovy
Best to download grails and run it from there so you can play with the
code. If you run: grails war, you can then copy the resulting .war file to
any servlet container like Tomcat, Jetty etc.
Disclaimer: this wasn't really designed for public consumption, just for
my internal testing, so it's not as user friendly as DVWA and other
vulnerable apps.
regards,
Stephen
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
This is a very interesting chain. I cover some of these topics in my Black
Hat class 'The Art of Exploiting Injection Flaws'
http://blackhat.com/us-14/training/the-art-of-exploiting-injection-flaws.html
--my 10 cents----
It's worth highlighting that when you encounter HQLi, your input is
interpreted by Hibernate. You have 2 attack vectors:
1. Convince Hibernate that it should not manipulate your input and pass it
to the database. You can do this by using functions and injecting your "sql" as
an argument to functions.
2. Inject directly into Hibernate and let the resulting SQL compiled by Hibernate
execute what you want to do on the database level.
In my experiments, 2 is rather difficult. Hibernate is a very limited language
and does not support union, order by and even comment characters. 1 would
work but there are certain limitations. You cannot query tables which are
not already mapped under Hibernate's configuration. So, in my experiments
you can only query tables which are already mapped. You can also return
output of generic functions and keywords like @@version, user, etc.
Besides this, you may also have a case of Hibernate calling a stored
procedure and the injection point is actually in the stored procedure. In which
case, Hibernate is just a medium to pass input to the stored proc, and the
injection will work like any SQLi.
-----end of 10 cents---
Thanks
Sid
Founder/Director
NotSoSecure Limited,
9, Old Forge Way,
Sawston,
CB223BZ
http://www.notsosecure.com
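For the defender's side of Sid's point, here is an added example (not code from RopeyTasks or from anyone in this thread) of the string-built HQL query that makes Hibernate parse attacker-controlled text, next to the parameterised form, plus the stored-procedure call case Sid mentions last. It assumes Hibernate 5.2 or later with a configured SessionFactory, and a hypothetical mapped entity Task and stored procedure find_tasks.

```java
// Added example, not from RopeyTasks or the thread. Assumes Hibernate 5.2+,
// a configured SessionFactory, and the hypothetical entity/procedure below.
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;
import org.hibernate.SessionFactory;

@Entity
class Task {            // hypothetical mapped entity standing in for the app's own
    @Id Long id;
    String name;
    String description;
}

public class TaskQueries {
    // Vulnerable: the user-supplied value becomes part of the HQL text, so
    // Hibernate parses attacker-controlled HQL. Because Hibernate only knows
    // mapped entities, the reachable data is limited to them (Sid's point),
    // but function calls can still carry text through to the database.
    static List<Task> findByNameVulnerable(SessionFactory sf, String name) {
        try (Session s = sf.openSession()) {
            String hql = "from Task t where t.name = '" + name + "'";
            return s.createQuery(hql, Task.class).getResultList();
        }
    }

    // Fixed: a named parameter keeps the HQL text constant. The value is bound
    // by the JDBC driver and cannot change the structure of the query.
    static List<Task> findByNameSafe(SessionFactory sf, String name) {
        try (Session s = sf.openSession()) {
            return s.createQuery("from Task t where t.name = :name", Task.class)
                    .setParameter("name", name)
                    .getResultList();
        }
    }

    // Stored-procedure case: binding the argument protects the call itself,
    // but if 'find_tasks' builds dynamic SQL from its argument internally, the
    // injection lives in the procedure body and must be fixed there; Hibernate
    // is only the medium that passes the input along.
    @SuppressWarnings("unchecked")
    static List<Object[]> findViaProcedure(SessionFactory sf, String name) {
        try (Session s = sf.openSession()) {
            return s.createNativeQuery("{call find_tasks(:name)}")
                    .setParameter("name", name)
                    .getResultList();
        }
    }
}
```

A code review or static check for `createQuery`/`findAll`/`executeQuery` calls whose string argument is built by concatenation or GString interpolation finds the first pattern quickly in a Grails code base.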
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of prasanna.k
Sent: 13 February 2014 09:57
To: Paul AMAR
Cc: websecurity
Subject: Re: [WEB SECURITY] Web App vulnerable to HQL Injection ?
Thanks for the share guys.
PK
On Thu, Feb 13, 2014 at 3:18 PM, Paul AMAR <aos.paul@gmail.com
mailto:aos.paul@gmail.com > wrote:
Hi there,
@Sid, thanks for that information;
I tried to get as many resources as I could and I started to develop a tool
to exploit those HQL injections.
Feel free to check it (and fork?): https://github.com/PaulSec/HQLmap
I just wanted something really simple to highlight those vulns.
However, the next step would be to add a new dbms and integrate it in
SQLmap which seems a good idea (thanks to Philippe).
Cheers
2014-02-19 10:37 GMT+01:00 sid sid@notsosecure.com: